Friday, June 24, 2011

More than at any time in the past decade, privacy hearings and proposed legislation are spreading across Capitol Hill. Until now, you could always make money betting against a privacy law passing in Congress. Today, many experts are saying that momentum is building for major legislation, although the shape of that legislation is still unclear.

This round of privacy action is driven by three historic trends, plus other factors that are coming together now.

First is location data. While Apple’s Steve Jobs called the Android a “probe in your pocket,” Apple itself has been brought before both the Senate Judiciary and Commerce committees to try to explain why it was collecting detailed location information on the iPhone. For the first time in history, most Americans are carrying a tracking device — a cell phone — with them in their daily lives. There is great uncertainty about who gets to see that tracking information, including for advertising and law enforcement purposes.

Second is social networking. Facebook has gone from nothing to half a billion users in only a few years. The social networks point out that users voluntarily put that incredible amount of material up on the sites. But this is all so new that the rules of the road are not yet clear.

Third is online behavioral advertising. The Wall Street Journal ran a major series showing the astonishing range of ways that companies can track your activity on the Web — even if you turn off cookies and try to stay anonymous. The companies say that this data is benign, because computers simply choose which ads to show you. Privacy advocates, though, say that these databases give unprecedented insight into what we read and how we think, leading to a scary potential of misuse down the road.

Along with these three mega-trends, Congress is seriously considering federal data-breach legislation, to harmonize state laws and respond to the Sony PlayStation Network breach and other recent high-profile breaches. Major cloud computing companies and civil liberties groups are supporting the Digital Due Process Coalition, which favors a judicial search warrant before law enforcement can gain access to the exabytes of data stored in the cloud. And there is pressure on the international front, as the European Union considers tightening its own data privacy laws and as India, Mexico and other countries are in the process of putting EU-style privacy laws on the books.

A flashpoint for action could be children’s privacy, where family-values Republicans and consumer-protection Democrats can most easily come together politically. Mark Zuckerberg has publicly discussed bringing under-13s directly into Facebook, but no one knows under what rules. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have released a discussion draft of the “Do Not Track Kids Act of 2011” to offer those under the age of 13 the choice not to be subject to behavioral advertising and related tracking. Nor is it settled who will get to see children’s location information: parents will and stalkers won’t, but the rules for everyone in between have yet to be written. On June 27, the Center for American Progress will host an event highlighting children’s privacy issues, called “Tracking: Where you are, what you see, and what you do.”

The biggest legislative question might be whether to go with general privacy principles or sector-specific rules. For the first time in history, the administration itself has come out in favor of broad-based privacy legislation for the private sector. The closest fit to the administration vision is the Kerry-McCain “Commercial Privacy Bill of Rights,” which notably would provide individuals with the legal right to opt out of having their information shared for marketing purposes. This sort of general legislation contrasts with sector-specific proposals, such as a recent bill by Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) that targets smartphone location information.

With the convergence of all of these technical changes, the current period most resembles the late 1990s. At that time, Congress approved sector-specific laws for medical privacy (HIPAA) and financial services (Gramm-Leach-Bliley), but held off on a general law to protect privacy on the Internet. With so many sectors having specific laws by now, however, the time may well be ripe for a bill that provides basic privacy protections more generally.

Swire was chief counselor for privacy to former President Clinton and served in the National Economic Council under President Obama. He is now a law professor at Ohio State and a fellow with the Center for American Progress and the Future of Privacy Forum.

Recently, the value of de-identification of personal information as a tool to protect privacy has come into question. Repeated claims have been made regarding the ease of re-identification. We consider this to be most unfortunate because it leaves the mistaken impression that there is no point in attempting to de-identify personal information, especially in cases where de-identified information would be sufficient for subsequent use, as in the case of health research.

The goal of this paper is to dispel this myth — the fear of re-identification is greatly overblown. As long as proper de-identification techniques, combined with re-identification risk measurement procedures, are used, de-identification remains a crucial tool in the protection of privacy. De-identification of personal data may be employed in a manner that simultaneously minimizes the risk of re-identification, while maintaining a high level of data quality. De-identification continues to be a valuable and effective mechanism for protecting personal information, and we urge its ongoing use.

In this paper we illustrate the importance of de-identifying personal information before it is used or disclosed, and at times, prior to its collection. We will demonstrate that, contrary to what has been suggested in recent articles, re-identification of properly de-identified information is not in fact an “easy” or “trivial” task. It requires concerted effort on the part of skilled technicians. The paper will also describe a tool that minimizes the risk of re-identification of de-identified information while also enabling a high level of data quality to be maintained. Our objective is to shatter the myth that de-identification is not a strong tool to protect privacy, and to ensure that organizations that collect, use and disclose personal information understand the importance of de-identification for the protection of privacy and continue to use this tool to the greatest extent possible to minimize potential risks. While our primary focus in this paper is on the value of de-identification in the context of personal health information that is used and disclosed for secondary purposes, the same arguments apply in the broader context of personal information.
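The pairing the paper relies on, proper de-identification plus a measurement of the re-identification risk that remains, is easiest to see on a concrete table. The following is an added example written for this page; it is not the paper's tool or the authors' code. It assumes the standard matching-attacker model in which an adversary knows a target's quasi-identifiers (here ZIP code, year of birth and sex) and looks for records that share them: a record in an equivalence class of size n is matched correctly with probability 1/n, so the dataset's maximum risk is 1/k for the smallest class k. The patient records are constructed for the example, with direct identifiers already removed, and the generalization rules (ZIP truncated to three digits, five-year birth bands) and the suppression threshold are illustrative choices, not the paper's.

```python
from collections import Counter
from fractions import Fraction

# Quasi-identifiers an attacker could plausibly know about a target
# (assumed attribute names for this example).
QUASI_IDS = ("zip", "yob", "sex")

# Constructed sample table: direct identifiers (name, record number)
# have already been stripped; "dx" is the sensitive attribute being released.
RAW_RECORDS = [
    {"zip": "02139", "yob": 1975, "sex": "F", "dx": "diabetes"},
    {"zip": "02139", "yob": 1978, "sex": "F", "dx": "asthma"},
    {"zip": "02138", "yob": 1980, "sex": "M", "dx": "flu"},
    {"zip": "02134", "yob": 1982, "sex": "M", "dx": "asthma"},
    {"zip": "02139", "yob": 1976, "sex": "M", "dx": "flu"},
    {"zip": "02130", "yob": 1951, "sex": "F", "dx": "hypertension"},
    {"zip": "02134", "yob": 1983, "sex": "M", "dx": "diabetes"},
    {"zip": "02138", "yob": 1981, "sex": "M", "dx": "hypertension"},
]


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Map each combination of quasi-identifier values to the number of records sharing it."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def risk_profile(records, quasi_ids=QUASI_IDS):
    """Re-identification risk under a matching attacker.

    max_risk is 1/k for the smallest class k (worst-case record);
    avg_risk is the mean of 1/n over all records, i.e. classes / records;
    unique counts records that are already singled out by their quasi-identifiers.
    """
    classes = equivalence_classes(records, quasi_ids)
    if not classes:
        raise ValueError("no records to measure")
    k = min(classes.values())
    return {
        "k": k,
        "max_risk": Fraction(1, k),
        "avg_risk": Fraction(len(classes), len(records)),
        "unique": sum(1 for size in classes.values() if size == 1),
    }


def generalize(record, zip_digits=3, year_band=5):
    """Coarsen quasi-identifiers: truncate the ZIP code and bucket year of birth."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    low = record["yob"] - record["yob"] % year_band
    out["yob"] = f"{low}-{low + year_band - 1}"
    return out


def suppress_small_classes(records, k_min, quasi_ids=QUASI_IDS):
    """Drop records whose equivalence class is still smaller than k_min."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] >= k_min]


def deidentify(records, k_min=2, **generalization):
    """Generalize first, then suppress whatever remains below the k threshold.

    Returns the table to release and the fraction of records retained, which is
    the data-quality price paid for meeting the risk target.
    """
    generalized = [generalize(r, **generalization) for r in records]
    released = suppress_small_classes(generalized, k_min)
    return released, Fraction(len(released), len(records))


if __name__ == "__main__":
    print("raw:        ", risk_profile(RAW_RECORDS))
    print("generalized:", risk_profile([generalize(r) for r in RAW_RECORDS]))
    released, retained = deidentify(RAW_RECORDS, k_min=2)
    print("released:   ", risk_profile(released), "retained:", retained)
```

On this table every raw record is unique on its quasi-identifiers, so a matching attacker who knows a target's ZIP, birth year and sex succeeds with certainty. Generalization alone collapses most records into classes of two and four but leaves two outliers (the only man born 1975-1979 and the only woman born 1950-1954) still unique, which is why the measurement step matters: the risk must be re-measured after transformation, and the residual outliers are suppressed to reach k = 2 at the cost of a quarter of the rows. The two numbers a reviewer wants before release are exactly those the functions return: the residual maximum risk and the fraction of data kept.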

Abstract:
Recently there have been calls to clarify ownership of data held in large health information networks. This article explores the realities of what patient data ownership would imply to explain why a clearer allocation of entitlements to raw health data would neither enhance patient privacy nor promote access to valuable data resources for public health and research. It updates the debate to account for the 2009 HITECH Act, which correctly recognized that raw patient data are not the valuable resource; these data acquire value only through the application of infrastructure services. The HITECH Act drew on a long tradition of American infrastructure regulation that offers real promise in resolving the infrastructure bottlenecks which (rather than the unresolved status of data ownership) have been the key impediment to data access. Despite this progress there are two unresolved problems, both heretofore neglected in the literature:

First, the existing federal regulatory framework governing data access conceives the state’s police power to use data to promote public health much more narrowly than the police power is conceived in all other legal contexts.

Second, existing regulatory provisions allowing nonconsensual access to data for research fail to incorporate any “public use” requirement to ensure that unconsented research uses of data are justified by a publicly beneficial purpose. As things stand, persons whose health data are used in research have no assurance that the use will serve any socially beneficial purpose at all. This article reframes the debate. The right question is not who owns health data. Instead, the debate should be about appropriate public uses of private data and how best to facilitate them while adequately protecting individuals’ interests.